Re: CA and smart card logon kerberos error
From: Tim Springston [MSFT] (tspring_at_online.microsoft.com)
Date: Thu, 15 Jul 2004 13:42:34 -0500
Hi Lars, Francesco-
The error maps to the information below in the Troubleshooting Kerberos
whitepaper. That whitepaper can be downloaded from
0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type
Associated internal windows error codes
Corresponding debug output messages
D_DebugLog("KLIN(%x) No pre-auth data in TGS request - not
Possible Cause and Resolution:
Smart card logon is being attempted and the proper certificate
cannot be located. This can happen because the wrong certificate authority
(CA) is being queried or the proper CA cannot be contacted.
1. Verify that there is a functioning CA on the domain.
2. Verify that the client can locate the CA.
Please reply if you have follow-up questions or concerns.
--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Lars Olaussen" <Isolauss@hotmail.com> wrote in message news:O4VSAoMaEHA.2816@TK2MSFTNGP11.phx.gbl...
> "Francesco B." <firstname.lastname@example.org> wrote ...
>
> > I set up a CA on a Windows 2000 Server and I'm having a problem logging
> > on the domain with smart cards. When I try to log on to the server with
> > Administrator account or any other account I get a Logon Message saying
> > "Network request not supported".
> >
> > I enabled account access auditing and kerberos auditing through registry
> > settings, so I could be able to tell where the problem was occurring.
> > The more relevant event it showed was Kerberos error code
> > 0x10 KDC_ERR_PADATA_TYPE_NOSUPP in the System log.
> >
> > Can you guys help me out, I'm stuck on this one; I thought that after
> > installing and correctly configuring the CA, issuing certificates and mapping
> > these certificates to the respective domain users I should've been ok.
> > Seems I'm not.
>
> Francesco,
>
> I'm not familiar with Kerberos error codes, but I would think that your problem
> is that you have not issued Domain Controller Certificates to your DCs.
>
> A requirement for smartcard logon is that the DC you use for authentication
> must have a DC certificate (all DCs should have certificate, to be sure that
> you always authenticate with a DC with a certificate).
>
> When both EE and DC have valid certificates, you have to be sure that
> CRLs for all certificates in the chain are available. This is needed because
> smartcard logon requires full certificate path validation.
>
> To check the certificate on the smartcard, without performing a logon, you
> can use this command:
>
> dsstore -checksc
>
> You can also verify domain controller certificates with this command:
>
> dsstore -dcmon
>
> This document should be a good reference if you still have problems:
>
> http://www.microsoft.com/windows2000/techinfo/administration/security/smrtcrdtr.asp
>
> Regards,
> Lars Olaussen
> Isolauss@hotmail.com
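
The full-chain revocation check described in the quoted reply, as an added example that is not part of the original thread. It assumes PowerShell on the domain controller being checked; the function name `Test-CertChainWithRevocation` is hypothetical, and selecting candidate DC certificates by the Server Authentication EKU is an assumption.

```powershell
# Added example (not from the thread): build the full chain for each candidate
# domain controller certificate with online revocation checking, so that a
# missing DC certificate or an unreachable CRL becomes visible.

function Test-CertChainWithRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for every certificate in the chain and fetch CRLs over
    # the network, so an unavailable CRL distribution point counts as a failure.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    $valid = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        NotAfter   = $Certificate.NotAfter
        ChainValid = $valid
        # Typical values: RevocationStatusUnknown, OfflineRevocation,
        # UntrustedRoot, NotTimeValid, Revoked
        Problems   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Assumption: DC certificates carry the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}

if (-not $candidates) {
    Write-Warning 'No certificate with Server Authentication EKU in LocalMachine\My.'
} else {
    $candidates | ForEach-Object { Test-CertChainWithRevocation -Certificate $_ }
}
```

A row with `ChainValid` false and `RevocationStatusUnknown` or `OfflineRevocation` under `Problems` points at CRL availability rather than at the certificate itself.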